Active Directory Recycle Bin


If you accidentally delete something in Active Directory, it can be difficult to undo. Fortunately, you can enable a recycle bin for Active Directory, making life much easier if you need to restore something.

The Active Directory Recycle Bin (sometimes called ADRB) was first introduced in Windows Server 2008 R2. You need to enable it to take advantage of it. You can never turn it off once you enable the Active Directory Recycle Bin.

Once the Active Directory Recycle Bin is enabled, deleting an object out of Active Directory no longer removes it immediately. The object is placed in the Active Directory Recycle Bin for a retention period, and only after that period has passed is it permanently deleted. The default retention for the recycle bin is 180 days.

In this post, I will show you step-by-step how to check the Active Directory Recycle Bin status using the GUI or PowerShell, how to enable the Active Directory Recycle Bin with the GUI or PowerShell and how to check the Active Directory Recycle Bin retention using the GUI or PowerShell.

Prerequisites

Checking Active Directory Recycle Bin Status

Before enabling the Active Directory Recycle Bin, it’s a good idea to check if it’s already enabled.

GUI Way

If the Enable Recycle Bin option is still selectable (not greyed out), then the recycle bin has not yet been enabled.

PowerShell Way

Get-ADOptionalFeature "Recycle Bin Feature"

If the EnabledScopes property in the output is blank, the recycle bin has not yet been enabled.

Enable Active Directory Recycle Bin

GUI Way

PowerShell Way

Enable-ADOptionalFeature "Recycle Bin Feature" -Server ((Get-ADForest -Current LocalComputer).DomainNamingMaster) -Scope ForestOrConfigurationSet -Target (Get-ADForest -Current LocalComputer)

Active Directory Recycle Bin Retention

Once the Active Directory Recycle Bin has been enabled, an object deleted from Active Directory is sent to the recycle bin. Once the retention period for that object has passed, it is permanently deleted. Here’s how to check the retention.

GUI Way

If the msDS-DeletedObjectLifetime attribute is not set, that’s fine, as the recycle bin falls back to the value of the tombstoneLifetime attribute.

The value defined in msDS-DeletedObjectLifetime or tombstoneLifetime is the retention for how long items will live in the recycle bin before permanent deletion. If msDS-DeletedObjectLifetime is set, then the recycle bin will honor that setting.

PowerShell Way

Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime, msDS-DeletedObjectLifetime | Select-Object tombstoneLifetime, msDS-DeletedObjectLifetime, DistinguishedName | Format-List

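The three checks above (feature status, enabling, and retention) can be folded into one reusable script. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and that the account running it has the forest-level rights needed to enable optional features. The function names Get-AdRecycleBinState and Enable-AdRecycleBinIfNeeded are my own. Because enabling the recycle bin is irreversible, the enable function supports -WhatIf and -Confirm and does nothing if the feature is already on.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and an account with rights to enable forest optional features.
#Requires -Modules ActiveDirectory

function Get-AdRecycleBinState {
    <#
    .SYNOPSIS
        Reports whether the AD Recycle Bin is enabled and which retention applies.
    #>
    [CmdletBinding()]
    param()

    $forest  = Get-ADForest -Current LocalComputer
    $dnm     = $forest.DomainNamingMaster
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm

    # EnabledScopes stays empty until the feature has been turned on.
    $enabled = (@($feature.EnabledScopes)).Count -gt 0

    # Retention attributes live on the Directory Service object in the
    # configuration partition.
    $rootDse  = Get-ADRootDSE -Server $dnm
    $dsObject = Get-ADObject -Server $dnm `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # msDS-DeletedObjectLifetime wins when set; otherwise tombstoneLifetime applies.
    $deletedLifetime   = $dsObject.'msDS-DeletedObjectLifetime'
    $tombstoneLifetime = $dsObject.tombstoneLifetime
    if ($null -ne $deletedLifetime) {
        $effective = $deletedLifetime;   $source = 'msDS-DeletedObjectLifetime'
    } elseif ($null -ne $tombstoneLifetime) {
        $effective = $tombstoneLifetime; $source = 'tombstoneLifetime'
    } else {
        $effective = $null;              $source = 'neither attribute set (forest default applies)'
    }

    [pscustomobject]@{
        Forest                    = $forest.Name
        DomainNamingMaster        = $dnm
        RecycleBinEnabled         = $enabled
        EnabledScopes             = @($feature.EnabledScopes)
        msDSDeletedObjectLifetime = $deletedLifetime
        TombstoneLifetime         = $tombstoneLifetime
        EffectiveRetentionDays    = $effective
        RetentionSource           = $source
    }
}

function Enable-AdRecycleBinIfNeeded {
    <#
    .SYNOPSIS
        Enables the Recycle Bin only if it is not already on.
        The change cannot be undone, so -WhatIf and -Confirm are honoured.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    $state = Get-AdRecycleBinState
    if ($state.RecycleBinEnabled) {
        Write-Verbose "Recycle Bin already enabled in forest $($state.Forest); nothing to do."
        return $state
    }

    $action = 'Enable Active Directory Recycle Bin (cannot be disabled afterwards)'
    if ($PSCmdlet.ShouldProcess($state.Forest, $action)) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet `
            -Target $state.Forest `
            -Server $state.DomainNamingMaster `
            -Confirm:$false   # our own ShouldProcess prompt already covered this
        # Re-read so the caller sees EnabledScopes populated.
        return Get-AdRecycleBinState
    }
}

# Usage:
#   Get-AdRecycleBinState | Format-List
#   Enable-AdRecycleBinIfNeeded -WhatIf     # dry run
#   Enable-AdRecycleBinIfNeeded -Confirm    # prompts before the irreversible change
```

Targeting the domain naming master explicitly for every call avoids a confusing result where the status query and the enable command are answered by different domain controllers before replication has caught up. The RetentionSource field makes it obvious which attribute is actually governing the retention, which is the question the two GUI and PowerShell retention checks above are answering.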

Summary

That’s all it takes to check if the Active Directory Recycle Bin is enabled when using the GUI or PowerShell, how to enable the Active Directory Recycle Bin using the GUI or PowerShell and how to check the Active Directory Recycle Bin retention settings using the GUI or PowerShell.

I think everyone should enable the Active Directory Recycle Bin. I wonder why it isn’t on by default. Either way, enabling it is straightforward.

If you want to read more about the Active Directory Recycle Bin, here is the Microsoft documentation.
